Data protection declaration
The present data protection declaration informs you about the means, the scope and the purpose of processing personal data (simply referred to as “data” in the following) when using our online offer and the websites, functions and content connected to it as well as our external online presence, such as our social media profiles (simply referred to as “online offer” in the following). As for the use of certain terms, such as “personal data” or the “processing” thereof, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Data protection officer:
Mandatory data protection officer
We have appointed a data protection officer for our company.
ORA IT-Systeme GmbH
73730 Esslingen a. N.
Telephone: +49 711 901266-00
Kinds of data processed by us:
- contact data
- content data
- usage data
- meta and communication data
Processing of special categories of personal data (Art. 9 Par. 1 GDPR):
No special categories of personal data are processed.
Categories of people affected by data processing:
- Customers / interested parties / suppliers.
- Visitors and users of the online offer.
In the following the people concerned will be referred to as “users”.
Purpose of processing:
- Making available the online offer, its contents and functions.
- Replying to contact requests and communication with users.
- Marketing, advertising, and market research.
Relevant legal basis
In accordance with Art. 13 GDPR we are informing you of the legal basis of our data processing. As long as the legal basis is not specifically mentioned in the data protection declaration, the following applies: the legal basis for obtaining consent is Art. 6 Par. 1(a) and Art. 7 GDPR, the legal basis for data processing in order to provide our services, fulfill contractual obligations as well as respond to inquiries is Art. 6 Par. 1(b) GDPR, the legal basis for data processing in order to fulfill our legal obligations is Art. 6 Par. 1(c), and the legal basis for data processing in order to pursue our legitimate interests is Art. 6 Par. 1(f) GDPR. Should the vital interests of the data subject or of another natural person require the processing of personal data, Art. 6 Par. 1(d) GDPR shall serve as a legal basis.
Changing and updating the data protection declaration
We ask you to regularly check the content of our data protection declaration. We update our data protection declaration whenever changes in our data processing require us to do so. We will inform you whenever these changes require some action on your part (for example consent) or if another individual notification is required.
- As regulated in Art. 32 GDPR we shall take the appropriate technical and organizational measures to provide a safety level proportional to the risks, taking into account the state of technology, cost of implementation, the manner, scope, circumstances and purpose of data processing as well as the different likelihoods and degrees of risk to the rights and freedom of natural persons; among these measures are specifically the control of physical access to the data, as well as its access, input, dissemination, availability and separation in order to ensure privacy, integrity and availability of the data. We have also implemented a process that guarantees users’ rights, the deletion of data and a reaction in the case of danger to the data. Furthermore, we take the protection of personal data into account during the development or selection of hardware, software as well as processes that include the principle of data protection through the design of technology as well as privacy-protecting default settings (Art. 25 GDPR).
- One of the specific safety measures is the encrypted data transfer between your browser and our server.
Cooperation with subcontractors and third parties
- If in the course of our data processing we disclose, send or grant access to data to other persons or companies (subcontractors or third parties), we will do this only on a sound legal basis (for example, when the transfer of data to a third party, such as a financial service provider, is necessary to fulfilling contractual obligations according to Art. 6 Par. 1(b) GDPR), when consent has been obtained, if it is a legal obligation, or on the basis of pursuing our legitimate interests (for example when using a representative, web hosting, etc.).
- If we entrust third parties with data processing on the basis of a so-called “processing contract”, this shall be in accordance with Art. 28 GDPR.
Transfers of data to third countries
In case of processing data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)) or when this processing happens in the course of services from a third party or when data is disclosed or transferred to third parties, this shall only happen as part of fulfilling our (pre)contractual obligations, on the basis of consent, on the basis of a legal obligation or in the pursuit of our legitimate interests. Unless there is legal or contractual allowance, we shall only process data or have data processed in a third country in accordance with the specific conditions established in Art. 44 ff. GDPR. That is to say that processing is carried out on the basis of special guarantees, such as the official recognition of a data protection level similar to that of the EU (in the US, for example, via the “privacy shield”) or on the basis of officially recognized special contractual obligations (known as “standard contractual clauses”).
Rights of the data subjects
- You have the right to demand confirmation that data concerning you is being processed, as well as to demand information about the data, further information and copies of the data according to Art. 15 GDPR.
- In accordance with Art. 16 GDPR you have the right to demand the completion of incomplete personal data as well as the rectification of inaccurate personal data.
- You have the right to demand the immediate erasure of personal data according to Art. 17 GDPR or, alternatively, to demand restrictions in the processing of the data according to Art. 18 GDPR.
- You have the right to receive the data you have provided us with and to demand its transfer to another controller according to Art. 20 GDPR.
- In accordance with Art. 77 GDPR you have the right to lodge a complaint with a supervisory authority.
Right of withdrawal
In accordance with Art. 7 Par. 3 GDPR you have the right to withdraw consent to any future processing of your personal data.
Right to object
In accordance with Art. 21 GDPR you can at any time object to the future processing of your personal data. This objection may specifically be against the data being processed for direct marketing purposes.
Erasure of data
- Data processed by us is subject to erasure or limitations in processing in accordance with Art. 17 and 18 GDPR. Unless otherwise specified in this data protection declaration, data stored with us is erased when it is no longer needed to fulfill its purpose and erasure is not prevented by legal statutes. Should the data not be erased because it is required for legal purposes, its use will be limited. That means the data will be blocked and not used for other purposes. This applies to data that must be stored for commercial accounting or tax reasons, for example.
- According to legal requirements storage is mandatory for 6 years according to Art. 257 Par. 1 HGB (bookkeeping, inventory, opening balances, annual financial statements, commercial correspondence, accounting records, etc.) as well as for 10 years according to Art. 147 Par. 1 AO (books, records, reports, accounting records, commercial correspondence, tax-related documents, etc.).
- On first contact with us (via contact form or email) the user data will be used for the processing and reply to the inquiry according to Art. 6 Par. 1(b) GDPR.
- User data may be stored in our Customer Relationship Management System (“CRM System”) or similar database.
Collection of access data and log files
- On the basis of pursuing our legitimate interests according to Art. 6 Par. 1(f) GDPR we collect data about every access to the server which hosts our services (so-called server log files). The access data includes the name of the website visited, file, date and time of access, data volume transferred, successful access confirmation, browser type and version, the OS of the user, referrer URL (the site visited just before), IP-address and the connecting internet provider.
- Log file information is stored for a maximum of seven days for security reasons (for example for the investigation of misuse or fraud) and then deleted. Data which needs to be stored further as evidence is exempt from deletion until the clarification of the particular incident.
Integration of third party services and content
- On the basis of our pursuit of our legitimate interests (i.e. an interest in analyzing, optimizing and the economical operation of our online offer in accordance with Art. 6 Par. 1(f) GDPR) we use content and service offers from third parties, in order to integrate their content, such as videos or fonts (referred to as “content” in the following). This requires the third party providers to see the IP-address of the user, as without the IP-address they would not be able to send their content to the user’s browser. In other words, the IP-address is necessary to the displaying of these contents. It is our aim to use only content whose providers use the IP-address solely for the purpose of delivering their content. Third party providers can also use so-called “pixel-tags” (invisible graphic elements, also known as “web beacons”) for statistical or marketing purposes. These pixel-tags can be used to collect information, such as visitor traffic on the website. The pseudonymous information may also be stored in cookies on the user’s device and may contain information about, among others, the browser and the operating system, referring URLs, time of visit and further information regarding the use of our online offer, and it may be linked to similar information from other sources.
- We use Adobe Typekit for the visual design of our online offer. Typekit is a service from Adobe Systems Software Ireland Ltd., which allows us access to a font library. To include the fonts used by us your browser needs to establish a connection to an Adobe server in the USA and download the font needed for our website. Adobe thus receives the information that your IP-address has opened our website. Please find further information about Adobe Typekit in the data protection statement of Adobe at: https://www.adobe.com/privacy/policies/adobe-fonts.html.
- We use Monotype MyFonts for the visual design of our online offer. MyFonts is a service from Monotype Imaging Holdings Inc., which allows us access to a font library. To include the fonts used by us your browser needs to establish a connection to a Monotype server in the USA and download the font needed for our website. Monotype thus receives the information that your IP-address has opened our website. Please find further information about Monotype MyFonts in the data protection statement of Monotype at: https://www.myfonts.com/info/legal/#Privacy.
- Our online offer uses plugins from the video portal Vimeo, provided by Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA. When you visit one of our webpages that includes a Vimeo plugin, a connection is established with the Vimeo servers. Vimeo will be informed about which of our webpages you have visited. Also Vimeo will know your IP-address. This is also true if you are not logged in at Vimeo or don’t have an account with Vimeo. The information collected by Vimeo will be transferred to the Vimeo server in the USA. If you are logged in to your Vimeo account, you allow Vimeo to associate your browsing activity with your personal user profile. You can avoid this by logging out of your Vimeo account before visiting our webpage. Please find further information about the handling of user data in Vimeo’s data protection statement at https://vimeo.com/privacy.